Hi NXP support,
I am facing an i.MX6 secure boot issue on our project. The following is the detailed information.
We have a customised i.MX6SOLO rev1.4 board using U-Boot 2018.03-imx_v2018.03_4.14.98_2.0.0_ga (imx-yocto-L4.14.98_2.0.0_ga). The u-boot boots up successfully from eMMC with HAB enabled, but it shows the following HAB events.
Secure boot disabled
HAB Configuration: 0xf0, HAB State: 0x66
--------- HAB Event 1 -----------------
event data:
0xdb 0x00 0x24 0x42 0x69 0x30 0xe1 0x1d
0x00 0x04 0x00 0x02 0x40 0x00 0x36 0x06
0x55 0x55 0x00 0x03 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x01
STS = HAB_WARNING (0x69)
RSN = HAB_ENG_FAIL (0x30)
CTX = HAB_CTX_ENTRY (0xE1)
ENG = HAB_ENG_CAAM (0x1D)
--------- HAB Event 2 -----------------
event data:
0xdb 0x00 0x08 0x42 0x33 0x22 0x0a 0x00
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ADDRESS (0x22)
CTX = HAB_CTX_AUTHENTICATE (0x0A)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 3 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x00
0x00 0x00 0x00 0x20
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 4 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x2c
0x00 0x00 0x02 0x90
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 5 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x7f 0xf4 0x20
0x00 0x00 0x00 0x01
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
--------- HAB Event 6 -----------------
event data:
0xdb 0x00 0x14 0x42 0x33 0x0c 0xa0 0x00
0x00 0x00 0x00 0x00 0x17 0x80 0x00 0x00
0x00 0x00 0x00 0x04
STS = HAB_FAILURE (0x33)
RSN = HAB_INV_ASSERTION (0x0C)
CTX = HAB_CTX_ASSERT (0xA0)
ENG = HAB_ENG_ANY (0x00)
Actually there are two kinds of events (HAB_ENG_FAIL and HAB_INV_ADDRESS). I don't fully understand HAB event 1. If I use u-boot-2018.05 from the official u-boot website, it will have HAB events 2 to 6, and HAB event 1 is gone. I really have a concern about HAB_INV_ADDRESS. I checked the CSF PTR with the od command on the u-boot.imx image, and it matches the value in the eMMC area on the target board.
$ od -X -N 0x20 u-boot.imx
0000000 402000d1 17800000 00000000 177ff42c
0000020 177ff420 177ff400 178b4000 00000000
0000040
=> md 0x177ff400
177ff400: 402000d1 17800000 00000000 177ff42c .. @........,...
177ff410: 177ff420 177ff400 178b4000 00000000 ........@......
177ff420: 177ff000 000b500c 00000000 409002d2 .....P.........@
177ff430: 048c02cc 68400c02 3f3fc000 6c400c02 ......@h..??..@l
177ff440: 30fc3000 70400c02 00c0ff0f 74400c02 .0.0..@p......@t
177ff450: 0ff0f03f 78400c02 00f3ff00 7c400c02 ?.....@x......@|
177ff460: c300000f 80400c02 ff030000 60400c02 ......@.......@`
177ff470: fb000000 10000e02 cf0000f0 18000e02 ................
...
=> md 0x178b400
178b4000: 425000d4 000c00be 00001703 50000000 ..PB...........P
178b4010: 020c00be 01000009 90040000 000c00ca ................
178b4020: 001dc501 e4070000 000c00be 02000009 ................
178b4030: e8090000 001400ca 001dc502 3c0d0000 ...............<
178b4040: 00f47f17 004c0b00 1d0800b2 02000000 ......L.........
178b4050: 404004d7 210f01e1 80000000 03000001 ..@@...!........
178b4060: c9a7d4b7 bd2d20b5 31fbf7ac 747d2c6b ..... -....1k,}t
178b4070: 671958b5 783295ec c87a6b80 43432646 .X.g..2x.kz.F&CC
...
Also, you can see there is valid data in the CSF section on the target board. I set the size of the CSF file in imximage.cfg to 0x2000. I have enclosed the csf file for your reference.
#Illustrative Command Sequence File Description
[Header]
Version = 4.2
Security Configuration = Open
Hash Algorithm = sha256
Engine Configuration = 0
Certificate Format = X509
Signature Format = CMS
Engine = CAAM
[Install SRK]
File = "../crts/SRK_1_2_3_4_table.bin"
# Index of the key location in the SRK table to be installed
Source index = 0
[Install CSFK]
# Key used to authenticate the CSF data
File = "../crts/CSF1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate CSF]
[Install Key]
# Key slot index used to authenticate the key to be installed
Verification index = 0
# Target key slot in HAB key store where key will be installed
Target Index = 2
# Key to install
File= "../crts/IMG1_1_sha256_2048_65537_v3_usr_crt.pem"
[Authenticate Data]
# Key slot index used to authenticate the image data
Verification index = 2
# Address Offset Length Data File Path
Blocks = 0x177ff400 0x00000000 0x000b4c00 "u-boot.imx"
The following are the commands used to generate the signed u-boot image file:
$ ../linux64/bin/cst --o u-boot_csf.bin --i u-boot.csf
$ objcopy -I binary -O binary --pad-to 0x2000 --gap-fill=0x00 u-boot_csf.bin u-boot_csf_pad.bin
$ cat u-boot.imx u-boot_csf_pad.bin > u-boot-signed.imx
$ ls -al
-rw-rw-r-- 940 Apr 13 11:20 u-boot.csf
-rw-rw-r-- 1 3904 Apr 14 10:05 u-boot_csf.bin
-rw-rw-r-- 1 8192 Apr 14 10:05 u-boot_csf_pad.bin
-rw-rw-r-- 1 740352 Apr 14 10:03 u-boot.imx
-rw-rw-r-- 1 748544 Apr 14 10:05 u-boot-signed.imx
By checking the size of u-boot-signed.imx, you can see I don't pad the u-boot.imx image file. What are the possible causes of HAB events 1 to 6, especially HAB_INV_ADDRESS? I would really appreciate it if you could help me fix this HAB boot issue.
Thank you very much,
Jerry
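
Added example (not part of the original post, and not NXP or U-Boot code): a Python script that decodes the HAB event records and the IVT words quoted in the post and reports which IVT field each failed assertion address names. The assertion payload layout (4 bytes, then address, then size) is an assumption inferred from the values in the log, and all function names are hypothetical.

```python
import struct

# IVT words from the post's `od -X -N 0x20 u-boot.imx` output (little-endian).
IVT = struct.pack("<8I", 0x402000d1, 0x17800000, 0x00000000, 0x177ff42c,
                  0x177ff420, 0x177ff400, 0x178b4000, 0x00000000)
# Event data for HAB events 2-6, copied from the post's console log.
EVENTS = [
    "db 00 08 42 33 22 0a 00",
    "db 00 14 42 33 0c a0 00 00 00 00 00 17 7f f4 00 00 00 00 20",
    "db 00 14 42 33 0c a0 00 00 00 00 00 17 7f f4 2c 00 00 02 90",
    "db 00 14 42 33 0c a0 00 00 00 00 00 17 7f f4 20 00 00 00 01",
    "db 00 14 42 33 0c a0 00 00 00 00 00 17 80 00 00 00 00 00 04",
]
# Reason names as printed in the post's log.
REASONS = {0x22: "HAB_INV_ADDRESS", 0x0C: "HAB_INV_ASSERTION"}

def parse_ivt(raw):
    """Return the IVT pointer fields; header is tag 0xD1 plus big-endian length."""
    tag, length, _ver = struct.unpack(">BHB", raw[:4])
    if tag != 0xD1 or length != 0x20:
        raise ValueError("not an IVT header")
    entry, _r1, dcd, boot_data, self_addr, csf, _r2 = struct.unpack("<7I", raw[4:32])
    return {"entry": entry, "dcd": dcd, "boot_data": boot_data,
            "ivt": self_addr, "csf": csf}

def parse_event(text):
    """Decode one record: 0xDB, big-endian length, version, STS/RSN/CTX/ENG."""
    raw = bytes.fromhex(text)
    tag, length, _ver, sts, rsn, ctx, eng = struct.unpack(">BHB4B", raw[:8])
    if tag != 0xDB or length != len(raw):
        raise ValueError("malformed HAB event record")
    ev = {"sts": sts, "rsn": REASONS.get(rsn, hex(rsn)), "ctx": ctx, "eng": eng}
    if ctx == 0xA0 and len(raw) == 20:
        # Assumption: assertion payload = 4 bytes, then address, then size.
        ev["addr"], ev["size"] = struct.unpack(">II", raw[12:20])
    return ev

def correlate(events, ivt):
    """Pair each event's reason with the IVT field whose address it names."""
    by_addr = {addr: name for name, addr in ivt.items()}
    return [(e["rsn"], by_addr.get(e.get("addr"))) for e in map(parse_event, events)]

def signed_length(ivt):
    """Bytes between the IVT self pointer and the CSF pointer."""
    return ivt["csf"] - ivt["ivt"]

if __name__ == "__main__":
    ivt = parse_ivt(IVT)
    print(hex(signed_length(ivt)), correlate(EVENTS, ivt))
```

On the values from the post, the CSF pointer minus the IVT self pointer is 0xb4c00, which equals both the 740352-byte u-boot.imx and the Blocks length in the CSF, and the four assertion events name the IVT, DCD, boot data and entry point addresses.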